Update sepgsql to add mandatory access control for TRUNCATE

Enterprise / PostgreSQL - Joe Conway [joeconway.com] - 23 November 2019 15:46 EST

Use SELinux "db_table: { truncate }" to check if permission is granted to TRUNCATE. Update example SELinux policy to grant needed permission for TRUNCATE. Add new regression test to demonstrate a positive and negative cases. Test will only be run if the loaded SELinux policy has the "db_table: { truncate }" permission. Makes use of recent commit which added object TRUNCATE hook. Patch by Yuli Khodorkovskiy with minor editorialization by me. Not back-patched because the object TRUNCATE hook was not.

Author: Yuli Khodorkovskiy

4f66c93f61 Update sepgsql to add mandatory access control for TRUNCATE
contrib/sepgsql/expected/truncate.out | 46 +++++++++++++++++++++++++++++++++++
contrib/sepgsql/hooks.c | 14 +++++++++++
contrib/sepgsql/relation.c | 40 ++++++++++++++++++++++++++++++
contrib/sepgsql/selinux.c | 3 +++
contrib/sepgsql/sepgsql-regtest.te | 8 ++++++
contrib/sepgsql/sepgsql.h | 2 ++
contrib/sepgsql/sql/truncate.sql | 24 ++++++++++++++++++
contrib/sepgsql/test_sepgsql | 16 +++++++++++-
8 files changed, 152 insertions(+), 1 deletion(-)

Upstream: git.postgresql.org


  • Share